State AGs Eye Google Over Google+ Security Flaw

Several state attorneys general are reviewing a decision by Alphabet Inc.'s Google not to disclose a software bug that exposed the profile data of at least 500,000 Google+ users.

An official with the Massachusetts attorney general’s office said Oct. 9 it is monitoring the situation. California’s attorney general’s office is concerned about data breaches that impact Californians, a state official who asked not to be identified because the person wasn’t authorized to discuss the matter told Bloomberg Law. A spokesperson for the Connecticut attorney general said the office is trying to understand the scope of the security incident.

Google said it wasn't required to notify regulators or users under state data breach notification laws because it found no evidence that the exposed data had been accessed or misused.

Even if the data wasn't improperly accessed, attorneys general could still launch investigations under state consumer protection statutes, which require companies to live up to the promises they make about protecting data, Robert Braun, co-chair of Jeffer Mangels Butler & Mitchell's cybersecurity practice, told Bloomberg Law Oct. 9.

State regulators "have a variety of bases for which they can launch investigations, including state consumer protection laws," Braun said. They could argue that Google "implicitly or explicitly made representations that information was protected when it wasn't," he said.

Google said it didn’t go public with what it called a bug out of concern that doing so would trigger a regulatory backlash, according to the Wall Street Journal, which first reported the story Oct. 8. Google’s global privacy policy, which covers Google+, said as of Oct. 9 that “all Google products are built with strong security features that continuously protect your information.”

Under data breach laws in all 50 states and the District of Columbia, companies are generally required to alert state regulators and consumers when the company believes that unencrypted sensitive personal data is, or is reasonably believed to be, accessed by an unauthorized third party.

Businesses are often left to decide for themselves if personal data was improperly accessed, Braun said. It is a “genuinely hard question on whether they should disclose and if they did what should they disclose,” he said.

Google’s privacy office reviewed the incident and found no evidence of data misuse, the company said in an Oct. 8 blog post. The software bug was “limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age,” and not data on other Google services, it said. Google didn’t immediately respond to Bloomberg Law’s email request for comment.

State attorneys general have been willing to probe Silicon Valley giants for privacy and cybersecurity shortcomings in the past. All 50 states and the District of Columbia settled with Uber Technologies Inc. for $148 million Sept. 26 over its failure to report a 2016 data breach which exposed the names, phone numbers and email addresses of more than 20 million people.

Google likely didn’t have any direct state data breach notification obligations because it determined third parties didn’t access the exposed data, Braun said.

Still, the “delay causes a degree of mistrust,” Scott Vernick, a partner at Fox Rothschild in Philadelphia specializing in data privacy, told Bloomberg Law, referring to the time between the discovery of the vulnerability and Google’s disclosure. “Even if in reality, or as a practical matter, there isn’t any there there, it is the delay that casts a pall of suspicion over the events,” he said.